A threat actor has put some 15 million people at risk by managing to link their private email addresses with public data from their Trello accounts.
A hacker with the alias “emo” took to a popular hacking forum recently, where they offered a database of more than 15 million Trello members for sale.
“Contains emails, usernames, full names and other account info. 15,115,516 unique lines,” BleepingComputer cited the ad. “Selling one copy to whoever wants it, message on me onsite or on telegram if you’re interested.”
Abusing APIs
Trello has now came forward with a statement, saying its systems were not breached, and that the information in the database was public and scraped.
“All evidence points to a threat actor testing a preexisting list of email addresses against publicly available Trello user profiles,” Trello’s owner, Atlassian, said in a statement.
“We are conducting an exhaustive investigation and have not found any evidence of unauthorized access of Trello or user profiles.
However, this might not be entirely correct. Emo told the media that they used a publicly exposed API to link email addresses to public Trello profiles.
The problem here is that hackers can now know which email address was used to create a Trello account, information which can be abused in targeted and highly sophisticated phishing attacks. Knowing that Trello is a project management board used mostly by professionals only makes it more dangerous.
